Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks
Newly detected WhisperGate malware being used by previously unknown threat group in cyberattacks against Ukraine
Microsoft on Saturday warned of a new, destructive malware being used in cyberattacks against the Ukrainian government.
Described as a possible Master Boot Record (MBR) wiper, Microsoft says the malware executes when an impacted device is powered down and disguises itself as ransomware, but lacks a ransom recovery mechanism and is intended to be destructive and brick targeted devices.
The tech giant says the malware, which it refers to as “WhisperGate”, first appeared on victim systems in Ukraine on January 13, 2022 and targeted multiple organizations, all in Ukraine.
While Microsoft says it has not found any notable associations between the observed activity (which it tracks as DEV-0586) and other known threat groups, Ukraine said Sunday it had “evidence” that Russia was behind the attacks.
A private sector cybersecurity expert in Kyiv told The Associated Press that the attackers penetrated the government networks through a shared software supplier in a supply-chain attack.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” Microsoft said in a blog post. “These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.”
The Microsoft Threat Intelligence Center (MSTIC) has shared tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOCs) related to the attacks.
“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations,” Microsoft added. “However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”
Ukraine’s SBU security service said the attacks had targeted at least 70 government websites.
“The existence of wiper malware disguised as ransomware is not new,” Calvin Gan, Senior Manager, Tactical Defence at F-Secure, told SecurityWeek. “WhisperGate, or DEV-0586 as Microsoft calls it, has a similar resemblance to NotPetya discovered back in 2017, which is also a wiper malware disguised as a ransomware. NotPetya at that time had crippled many companies in Ukraine, France, Russia, Spain and the United States. Then there is also the Agrius group tracked by researchers from SentinelOne, who has recently also been utilizing wiper malware on their target organizations in the Middle East.”
Commenting on the destructive nature of the malware, Gan notes that overwriting the MBR would render the machine unbootable, making recovery impossible, especially when the malware also overwrites file contents before overwriting the MBR.
“While the attacker’s true intention of deploying wiper ransomware coupled with file corrupter is not known at the moment,” Gan said, “having it targeting governmental agencies and associated establishments is a sign that they want operations in these organizations ceased immediately. Perhaps, the bitcoin wallet address and communication channel in the ransom note of WhisperGate is a smoke screen to divert attention from the attacker’s true intention of the attack while making it harder to track them.”
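The article describes an MBR-overwriting wiper that shows a ransom note in place of a boot loader. As an added example that is not part of the article and not code from Microsoft, F-Secure or SecurityWeek, the Python below shows the first-sector checks a responder can run on a disk image when that kind of tampering is suspected: the 0x55AA boot signature, the four partition table entries, and whether the bootstrap code area has been replaced by human-readable text. The two sample sectors are constructed for this example and are not artefacts of WhisperGate or any other real attack; the placeholder message is invented.

```python
"""Forensic triage of a raw Master Boot Record (MBR) sector.

Added example: checks a 512-byte sector 0 for signs that a wiper has
replaced the boot loader. The sample sectors at the bottom are constructed
for this example, not captured from any real system.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIG = 0x55AA          # expected in the last two bytes (big-endian 55 AA)
PTABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16            # four classic partition entries follow
PRINTABLE_THRESHOLD = 0.6  # real boot code is mostly non-printable machine code


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (status, type, LBA start, size)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab/CR/LF)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def analyse_mbr(sector: bytes) -> dict:
    """Return partitions found plus a list of findings; empty findings = looks normal."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []

    # 1. Boot signature: BIOS refuses to boot a sector without it.
    (sig,) = struct.unpack(">H", sector[510:512])
    if sig != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")

    # 2. Partition table: a wiper that zeroes it leaves nothing to mount.
    entries = [parse_partition_entry(sector[PTABLE_OFFSET + i * ENTRY_SIZE:
                                            PTABLE_OFFSET + (i + 1) * ENTRY_SIZE])
               for i in range(4)]
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    elif not any(e["bootable"] for e in used):
        findings.append("no partition flagged bootable")

    # 3. Bootstrap area: a note displayed at boot shows up as mostly text.
    boot_code = sector[:PTABLE_OFFSET]
    ratio = printable_ratio(boot_code)
    if ratio > PRINTABLE_THRESHOLD:
        findings.append(f"bootstrap area is {ratio:.0%} printable text (boot loader replaced?)")
    if not any(boot_code):
        findings.append("bootstrap area is all zeros")

    return {"partitions": used, "findings": findings, "suspicious": bool(findings)}


def analyse_image(path: str) -> dict:
    """Read sector 0 of a raw disk image (or block device) and triage it."""
    with open(path, "rb") as fh:
        return analyse_mbr(fh.read(SECTOR_SIZE))


# --- constructed samples (not real MBRs) ---------------------------------
# "Healthy": pseudo-random bytes standing in for boot code, one bootable
# NTFS-type (0x07) partition starting at LBA 2048, valid signature.
_HEALTHY_CODE = bytes((i * 37 + 11) % 256 for i in range(PTABLE_OFFSET))
_HEALTHY_ENTRY = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
HEALTHY_MBR = _HEALTHY_CODE + _HEALTHY_ENTRY + bytes(3 * ENTRY_SIZE) + b"\x55\xaa"

# "Tampered": bootstrap area replaced by an invented text message padded with
# spaces, partition table zeroed, signature kept so the stub still runs.
_NOTE = b"*** CONSTRUCTED PLACEHOLDER: text shown at boot instead of a boot loader ***"
TAMPERED_MBR = _NOTE.ljust(PTABLE_OFFSET, b" ") + bytes(4 * ENTRY_SIZE) + b"\x55\xaa"

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("tampered", TAMPERED_MBR)):
        print(name, analyse_mbr(mbr))
```

In practice the sector would come from a forensic image via `analyse_image()`; the checks are heuristics for triage, not a signature for any specific family, and a responder would still confirm with a hex view and compare against the expected boot loader for that system.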